Using secret questions to recover forgotten passwords isn't all that secure, according to a new study by Google.
A whitepaper [PDF] called "Secrets, Lies, and Account Recovery: Lessons from Using Personal Knowledge Questions at Google", which examined data from millions of users, concluded that the practice is not only ineffective but also puts account security at risk.
The idea seems quite reasonable: if someone has forgotten their password, they can recover it by answering a question to which only they are supposed to know the answer.
The problem? Most people cannot remember the answer, because they have often given a false one in the belief that it will make the system safer. Of course, at that moment they do not realize that they will forget the fake answer very quickly.
Another finding of the study: what we think is our favorite meal today may have changed by the time we try to recover our password. If you are asked after a month, there's a 74% chance you'll remember. If you are asked after three months, the probability that you will remember the answer is fifty-fifty.
So what is the best question to remember? The city of birth, according to Google employees, with an overall 80.1% success rate. Second best is the name your father's
But the researchers point out that these questions (and many others) are inherently insecure, since it's fairly easy for someone else to obtain this information if they have your name.
The study also presents some interesting statistics on how easy it can be to guess the answers. For example, with just 10 attempts one can correctly guess the city of birth in 39% of cases in Korea, as there are not many major cities in Korea.
Similarly, using your father's name is not so safe.
So what is the conclusion?
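The guessability figure above (share of answers covered by the 10 most common ones) can be measured for any question before it is deployed. The following is an added example, not code from the study or from Google; the sample answers, function names and risk budget are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample: normalised "city of birth" answers for 20 accounts.
# Not data from the study; it only mimics a population concentrated in a few cities.
SAMPLE_ANSWERS = (
    ["seoul"] * 8 + ["busan"] * 4 + ["incheon"] * 3 + ["daegu"] * 2
    + ["daejeon", "gwangju", "ulsan"]
)


def _counts(answers):
    """Count answers after trimming whitespace and lowercasing."""
    if not answers:
        raise ValueError("no answers to analyse")
    return Counter(a.strip().lower() for a in answers)


def guess_success_rate(answers, max_guesses):
    """Share of accounts whose answer is among the `max_guesses` most common answers."""
    counts = _counts(answers)
    covered = sum(n for _, n in counts.most_common(max_guesses))
    return covered / len(answers)


def max_attempts_within_risk(answers, risk_budget):
    """Largest attempt limit that keeps the guess success rate <= risk_budget.

    Returns 0 when even a single guess exceeds the budget, which means the
    question should not be accepted as a stand-alone recovery factor.
    """
    counts = _counts(answers)
    covered, allowed = 0, 0
    for _, n in counts.most_common():
        covered += n
        if covered / len(answers) > risk_budget:
            break
        allowed += 1
    return allowed


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"{k:>2} guesses -> {guess_success_rate(SAMPLE_ANSWERS, k):.0%} of accounts")
    print("attempt limit for a 50% budget:", max_attempts_within_risk(SAMPLE_ANSWERS, 0.5))
```
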
Two things:
First, we humans remain pretty stupid, while at the same time we think we are very smart.
Secondly, the best solution is to use SMS or e-mail to recover passwords, although this is also quite convenient for the companies' own purposes (data collection).
"Secret questions can be used when combined with other measures," the study states.